nFADP and data hosting: what every Swiss SME needs to know

Effective 1 September 2023, the revised Federal Act on Data Protection (nFADP) significantly changed the legal framework for processing personal data in Switzerland. While many SMEs have heard of this revision, few have clearly drawn the link between their legal obligations and their IT hosting choices. Yet where you store your data, with which provider and under which jurisdiction, has direct compliance consequences. Here is what you need to know.

What is the nFADP?

The nFADP is the revised version of the Swiss data protection law, adopted to modernise a text dating from 1992 and align it with European standards, in particular the GDPR. It applies to any organisation processing personal data of natural persons in Switzerland, regardless of size. Unlike the European GDPR, the nFADP has no minimum threshold — a 5-person SME is as much affected as a large group.

What the nFADP changes in practice

Duty to report data breaches

Any personal data breach likely to result in a high risk to the data subjects must be notified to the Federal Data Protection and Information Commissioner (FDPIC) without delay. Insecure hosting or an unreliable provider increases this risk.

Records of processing activities

Companies that process sensitive data on a large scale must keep a record of processing activities. This record must indicate where the data are stored and who has access to them.

Transfers of data abroad

The nFADP strictly regulates transfers of personal data to countries that do not provide adequate protection. The United States, for example, is not on the list of countries recognised as adequate by Switzerland; transfers there require additional contractual guarantees.

Responsibility of processors

If you entrust data processing to an external provider — hosting provider, SaaS vendor, integrator — you remain responsible for the processing. You must ensure that your provider offers sufficient guarantees and conclude a data processing agreement.

Privacy by design and by default

Data protection must be built into your systems from the outset and active by default. This means choosing hosting solutions that allow this level of control.

Where are your data physically located?

This is the fundamental question. If your data are hosted in Switzerland, by a Swiss operator, you operate in a clear and controlled legal framework. If they are hosted abroad — even in a European datacenter — you must ensure that the transfer is covered by adequate contractual guarantees.

The problem of the US CLOUD Act

The major US cloud providers (AWS, Microsoft Azure, Google Cloud) are subject to the CLOUD Act, which allows US authorities to demand access to data held by those companies, even on servers located in Europe or Switzerland. This creates a direct tension with the nFADP requirements on international transfers. Choosing an independent Swiss host, not subject to that jurisdiction, is a simple way to avoid this issue.

Who has access to your data?

The nFADP requires you to answer this question precisely. With colocation hosting in Switzerland, you know exactly who can physically access your servers and under what conditions. With a shared public cloud, this visibility is structurally more limited.

Sensitive data: a stricter regime

The nFADP distinguishes "ordinary" data from "sensitive" data — health data, religious or political opinions, biometric data, data about criminal proceedings, etc. If you process sensitive data, the requirements are even stricter, especially regarding location and security.

What this means in practice for your SME

If you use an ERP, CRM or business SaaS application: Check where your vendor hosts the data. A data processing agreement (DPA) must be in place. If the vendor hosts outside Switzerland or the EU without adequate guarantees, you are potentially in breach.

If you manage your own infrastructure: Prefer hosting in Switzerland with an independent operator. Document where your data are, who can access them and how they are protected. Keep your record of processing activities up to date.

If you use an IT provider or MSP: Make sure a data processing agreement is signed. Check that your provider can document data location and the security measures in place.

nFADP hosting checklist

  • Do you know where your data are physically stored?
  • Is your host subject only to Swiss jurisdiction?
  • Is a data processing agreement in place with every provider?
  • Is your record of processing activities up to date?
  • Do you have a procedure in case of data breach?
  • Do your sensitive data benefit from enhanced protection?

Hosting in Switzerland: a simple answer to a complex question

nFADP compliance does not necessarily require a complete re-architecture. For many Swiss SMEs, the simplest and most robust answer is to host their data with an independent Swiss operator — in a datacenter physically located in Switzerland, under Swiss jurisdiction, with no dependence on foreign groups subject to extraterritorial laws. This is not an absolute guarantee of compliance — you still need to document your processing and train your teams — but it is a solid foundation that considerably simplifies your approach.

In summary

The nFADP is not just about forms or privacy policies. It directly affects your IT infrastructure choices. Knowing where your data are, under which jurisdiction and with what guarantees, has become a legal obligation, not just a matter of best practice.

AlpineDC has dedicated rooms in Lausanne and Crissier, with an autonomous AS198385 network and multi-operator connectivity. Our infrastructure is located exclusively in Switzerland and operated by a local team.